At 1:21 PM +0100 1/29/09, Jean-Marc Desperrier wrote: >Eddy Nigg wrote: >>[...] >>Well, this thread started out with the request that Mozilla should >>change it's policy to require CAs revoke certificate when the private >>key is known to be compromised. > >Given the practical problems of revoking a very large number of certificates, >I'd consider it acceptable if the policy only requires the CA to : >- make the client aware of the situation >- get the certificate promply replaced if it is actually used on an open >network. >- revoke it if there's a failure to get it replaced within an acceptable >timeframe
That feels insufficient to me. I also disagree that there are "practical problems of revoking a very large number of certificates". The worst problem is that the CRL will grow; that's no big deal, it is supposed to grow. Again, I support "must revoke as soon as you believe that the private key has been compromised". -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto